1ovn-ic-nbctl(8) OVN Manual ovn-ic-nbctl(8)
2
3
4
6 ovn-ic-nbctl - Open Virtual Network interconnection northbound db man‐
7 agement utility
8
10 ovn-ic-nbctl [options] command [arg...]
11
13 This utility can be used to manage the OVN interconnection northbound
14 database.
15
17 init Initializes the database, if it is empty. If the database has
18 already been initialized, this command has no effect.
19
20 show Prints a brief overview of the database contents.
21
23 [--may-exist] ts-add switch
24 Creates a new transit switch named switch.
25
26 Transit switch names must be unique. Adding a duplicated name
27 results in error. With --may-exist, adding a duplicate name suc‐
28 ceeds but does not create a new transit switch.
29
30 [--if-exists] ts-del switch
31 Deletes switch. It is an error if switch does not exist, unless
32 --if-exists is specified.
33
34 ts-list
35 Lists all existing switches on standard output, one per line.
36
38 These commands query and modify the contents of ovsdb tables. They are
39 a slight abstraction of the ovsdb interface and as such they operate at
40 a lower level than other ovn-ic-nbctl commands.
41
42 Identifying Tables, Records, and Columns
43
44 Each of these commands has a table parameter to identify a table within
45 the database. Many of them also take a record parameter that identifies
46 a particular record within a table. The record parameter may be the
47 UUID for a record, which may be abbreviated to its first 4 (or more)
48 hex digits, as long as that is unique. Many tables offer additional
49 ways to identify records. Some commands also take column parameters
50 that identify a particular field within the records in a table.
51
52 For a list of tables and their columns, see ovn-ic-nb(5) or see the ta‐
53 ble listing from the --help option.
54
55 Record names must be specified in full and with correct capitalization,
56 except that UUIDs may be abbreviated to their first 4 (or more) hex
57 digits, as long as that is unique within the table. Names of tables and
58 columns are not case-sensitive, and - and _ are treated interchange‐
59 ably. Unique abbreviations of table and column names are acceptable,
60 e.g. t or transit is sufficient to identify the Transit_Switch table.
61
62 Database Values
63
64 Each column in the database accepts a fixed type of data. The currently
65 defined basic types, and their representations, are:
66
67 integer
68 A decimal integer in the range -2**63 to 2**63-1, inclu‐
69 sive.
70
71 real A floating-point number.
72
73 Boolean
74 True or false, written true or false, respectively.
75
76 string An arbitrary Unicode string, except that null bytes are
77 not allowed. Quotes are optional for most strings that
78 begin with an English letter or underscore and consist
79 only of letters, underscores, hyphens, and periods. How‐
80 ever, true and false and strings that match the syntax of
81 UUIDs (see below) must be enclosed in double quotes to
82 distinguish them from other basic types. When double
83 quotes are used, the syntax is that of strings in JSON,
84 e.g. backslashes may be used to escape special charac‐
85 ters. The empty string must be represented as a pair of
86 double quotes ("").
87
88 UUID Either a universally unique identifier in the style of
89 RFC 4122, e.g. f81d4fae-7dec-11d0-a765-00a0c91e6bf6, or
90 an @name defined by a get or create command within the
91 same ovs-vsctl invocation.
92
93 Multiple values in a single column may be separated by spaces or a sin‐
94 gle comma. When multiple values are present, duplicates are not al‐
95 lowed, and order is not important. Conversely, some database columns
96 can have an empty set of values, represented as [], and square brackets
97 may optionally enclose other non-empty sets or single values as well.
98
99 A few database columns are ``maps’’ of key-value pairs, where the key
100 and the value are each some fixed database type. These are specified in
101 the form key=value, where key and value follow the syntax for the col‐
102 umn’s key type and value type, respectively. When multiple pairs are
103 present (separated by spaces or a comma), duplicate keys are not al‐
104 lowed, and again the order is not important. Duplicate values are al‐
105 lowed. An empty map is represented as {}. Curly braces may optionally
106 enclose non-empty maps as well (but use quotes to prevent the shell
107 from expanding other-config={0=x,1=y} into other-config=0=x other-con‐
108 fig=1=y, which may not have the desired effect).
109
110 Database Command Syntax
111
112 [--if-exists] [--columns=column[,column]...] list table
113 [record]...
114 Lists the data in each specified record. If no records
115 are specified, lists all the records in table.
116
117 If --columns is specified, only the requested columns are
118 listed, in the specified order. Otherwise, all columns
119 are listed, in alphabetical order by column name.
120
121 Without --if-exists, it is an error if any specified
122 record does not exist. With --if-exists, the command ig‐
123 nores any record that does not exist, without producing
124 any output.
125
126 [--columns=column[,column]...] find table [col‐
127 umn[:key]=value]...
128 Lists the data in each record in table whose column
129 equals value or, if key is specified, whose column con‐
130 tains a key with the specified value. The following oper‐
131 ators may be used where = is written in the syntax sum‐
132 mary:
133
134 = != < > <= >=
135 Selects records in which column[:key] equals, does
136 not equal, is less than, is greater than, is less
137 than or equal to, or is greater than or equal to
138 value, respectively.
139
140 Consider column[:key] and value as sets of ele‐
141 ments. Identical sets are considered equal. Other‐
142 wise, if the sets have different numbers of ele‐
143 ments, then the set with more elements is consid‐
144 ered to be larger. Otherwise, consider a element
145 from each set pairwise, in increasing order within
146 each set. The first pair that differs determines
147 the result. (For a column that contains key-value
148 pairs, first all the keys are compared, and values
149 are considered only if the two sets contain iden‐
150 tical keys.)
151
152 {=} {!=}
153 Test for set equality or inequality, respectively.
154
155 {<=} Selects records in which column[:key] is a subset
156 of value. For example, flood-vlans{<=}1,2 selects
157 records in which the flood-vlans column is the
158 empty set or contains 1 or 2 or both.
159
160 {<} Selects records in which column[:key] is a proper
161 subset of value. For example, flood-vlans{<}1,2
162 selects records in which the flood-vlans column is
163 the empty set or contains 1 or 2 but not both.
164
165 {>=} {>}
166 Same as {<=} and {<}, respectively, except that
167 the relationship is reversed. For example,
168 flood-vlans{>=}1,2 selects records in which the
169 flood-vlans column contains both 1 and 2.
170
171 The following operators are available only in Open
172 vSwitch 2.16 and later:
173
174 {in} Selects records in which every element in col‐
175 umn[:key] is also in value. (This is the same as
176 {<=}.)
177
178 {not-in}
179 Selects records in which every element in col‐
180 umn[:key] is not in value.
181
182 For arithmetic operators (= != < > <= >=), when key is
183 specified but a particular record’s column does not con‐
184 tain key, the record is always omitted from the results.
185 Thus, the condition other-config:mtu!=1500 matches
186 records that have a mtu key whose value is not 1500, but
187 not those that lack an mtu key.
188
189 For the set operators, when key is specified but a par‐
190 ticular record’s column does not contain key, the compar‐
191 ison is done against an empty set. Thus, the condition
192 other-config:mtu{!=}1500 matches records that have a mtu
193 key whose value is not 1500 and those that lack an mtu
194 key.
195
196 Don’t forget to escape < or > from interpretation by the
197 shell.
198
199 If --columns is specified, only the requested columns are
200 listed, in the specified order. Otherwise all columns are
201 listed, in alphabetical order by column name.
202
203 The UUIDs shown for rows created in the same ovs-vsctl
204 invocation will be wrong.
205
206 [--if-exists] [--id=@name] get table record [column[:key]]...
207 Prints the value of each specified column in the given
208 record in table. For map columns, a key may optionally be
209 specified, in which case the value associated with key in
210 the column is printed, instead of the entire map.
211
212 Without --if-exists, it is an error if record does not
213 exist or key is specified, if key does not exist in
214 record. With --if-exists, a missing record yields no out‐
215 put and a missing key prints a blank line.
216
217 If @name is specified, then the UUID for record may be
218 referred to by that name later in the same ovs-vsctl in‐
219 vocation in contexts where a UUID is expected.
220
221 Both --id and the column arguments are optional, but usu‐
222 ally at least one or the other should be specified. If
223 both are omitted, then get has no effect except to verify
224 that record exists in table.
225
226 --id and --if-exists cannot be used together.
227
228 [--if-exists] set table record column[:key]=value...
229 Sets the value of each specified column in the given
230 record in table to value. For map columns, a key may op‐
231 tionally be specified, in which case the value associated
232 with key in that column is changed (or added, if none ex‐
233 ists), instead of the entire map.
234
235 Without --if-exists, it is an error if record does not
236 exist. With --if-exists, this command does nothing if
237 record does not exist.
238
239 [--if-exists] add table record column [key=]value...
240 Adds the specified value or key-value pair to column in
241 record in table. If column is a map, then key is re‐
242 quired, otherwise it is prohibited. If key already exists
243 in a map column, then the current value is not replaced
244 (use the set command to replace an existing value).
245
246 Without --if-exists, it is an error if record does not
247 exist. With --if-exists, this command does nothing if
248 record does not exist.
249
250 [--if-exists] remove table record column value...
251
252 [--if-exists] remove table record column key...
253
254 [--if-exists] remove table record column key=value...
255 Removes the specified values or key-value pairs from col‐
256 umn in record in table. The first form applies to columns
257 that are not maps: each specified value is removed from
258 the column. The second and third forms apply to map col‐
259 umns: if only a key is specified, then any key-value pair
260 with the given key is removed, regardless of its value;
261 if a value is given then a pair is removed only if both
262 key and value match.
263
264 It is not an error if the column does not contain the
265 specified key or value or pair.
266
267 Without --if-exists, it is an error if record does not
268 exist. With --if-exists, this command does nothing if
269 record does not exist.
270
271 [--if-exists] clear table record column...
272 Sets each column in record in table to the empty set or
273 empty map, as appropriate. This command applies only to
274 columns that are allowed to be empty.
275
276 Without --if-exists, it is an error if record does not
277 exist. With --if-exists, this command does nothing if
278 record does not exist.
279
280 [--id=@name] create table column[:key]=value...
281 Creates a new record in table and sets the initial values
282 of each column. Columns not explicitly set will receive
283 their default values. Outputs the UUID of the new row.
284
285 If @name is specified, then the UUID for the new row may
286 be referred to by that name elsewhere in the same \*(PN
287 invocation in contexts where a UUID is expected. Such
288 references may precede or follow the create command.
289
290 Caution (ovs-vsctl as example)
291 Records in the Open vSwitch database are signifi‐
292 cant only when they can be reached directly or in‐
293 directly from the Open_vSwitch table. Except for
294 records in the QoS or Queue tables, records that
295 are not reachable from the Open_vSwitch table are
296 automatically deleted from the database. This
297 deletion happens immediately, without waiting for
298 additional ovs-vsctl commands or other database
299 activity. Thus, a create command must generally be
300 accompanied by additional commands within the same
301 ovs-vsctl invocation to add a chain of references
302 to the newly created record from the top-level
303 Open_vSwitch record. The EXAMPLES section gives
304 some examples that show how to do this.
305
306 [--if-exists] destroy table record...
307 Deletes each specified record from table. Unless --if-ex‐
308 ists is specified, each records must exist.
309
310 --all destroy table
311 Deletes all records from the table.
312
313 Caution (ovs-vsctl as example)
314 The destroy command is only useful for records in
315 the QoS or Queue tables. Records in other tables
316 are automatically deleted from the database when
317 they become unreachable from the Open_vSwitch ta‐
318 ble. This means that deleting the last reference
319 to a record is sufficient for deleting the record
320 itself. For records in these tables, destroy is
321 silently ignored. See the EXAMPLES section below
322 for more information.
323
324 wait-until table record [column[:key]=value]...
325 Waits until table contains a record named record whose
326 column equals value or, if key is specified, whose column
327 contains a key with the specified value. This command
328 supports the same operators and semantics described for
329 the find command above.
330
331 If no column[:key]=value arguments are given, this com‐
332 mand waits only until record exists. If more than one
333 such argument is given, the command waits until all of
334 them are satisfied.
335
336 Caution (ovs-vsctl as example)
337 Usually wait-until should be placed at the begin‐
338 ning of a set of ovs-vsctl commands. For example,
339 wait-until bridge br0 -- get bridge br0 data‐
340 path_id waits until a bridge named br0 is created,
341 then prints its datapath_id column, whereas get
342 bridge br0 datapath_id -- wait-until bridge br0
343 will abort if no bridge named br0 exists when
344 ovs-vsctl initially connects to the database.
345
346 Consider specifying --timeout=0 along with --wait-until,
347 to prevent ovs-vsctl from terminating after waiting only
348 at most 5 seconds.
349
350 comment [arg]...
351 This command has no effect on behavior, but any database
352 log record created by the command will include the com‐
353 mand and its arguments.
354
356 get-connection
357 Prints the configured connection(s).
358
359 del-connection
360 Deletes the configured connection(s).
361
362 [--inactivity-probe=msecs] set-connection target...
363 Sets the configured manager target or targets. Use --inactiv‐
364 ity-probe=msecs to override the default idle connection inactiv‐
365 ity probe time. Use 0 to disable inactivity probes.
366
368 get-ssl
369 Prints the SSL configuration.
370
371 del-ssl
372 Deletes the current SSL configuration.
373
374 [--bootstrap] set-ssl private-key certificate ca-cert [ssl-protocol-
375 list [ssl-cipher-list]]
376 Sets the SSL configuration.
377
379 --db database
380 The OVSDB database remote to contact. If the OVN_IC_NB_DB envi‐
381 ronment variable is set, its value is used as the default. Oth‐
382 erwise, the default is unix:/ovn_ic_nb_db.sock, but this default
383 is unlikely to be useful outside of single-machine OVN test en‐
384 vironments.
385
386 --leader-only
387 --no-leader-only
388 By default, or with --leader-only, when the database server is a
389 clustered database, ovn-ic-nbctl will avoid servers other than the
390 cluster leader. This ensures that any data that ovn-ic-nbctl reads
391 and reports is up-to-date. With --no-leader-only, ovn-ic-nbctl
392 will use any server in the cluster, which means that for read-only
393 transactions it can report and act on stale data (transactions
394 that modify the database are always serialized even with
395 --no-leader-only). Refer to Understanding Cluster Consistency in
396 ovsdb(7) for more information.
397
399 -v[spec]
400 --verbose=[spec]
401 Sets logging levels. Without any spec, sets the log level for ev‐
402 ery module and destination to dbg. Otherwise, spec is a list of
403 words separated by spaces or commas or colons, up to one from each
404 category below:
405
406 • A valid module name, as displayed by the vlog/list command
407 on ovs-appctl(8), limits the log level change to the speci‐
408 fied module.
409
410 • syslog, console, or file, to limit the log level change to
411 only to the system log, to the console, or to a file, re‐
412 spectively. (If --detach is specified, the daemon closes
413 its standard file descriptors, so logging to the console
414 will have no effect.)
415
416 On Windows platform, syslog is accepted as a word and is
417 only useful along with the --syslog-target option (the word
418 has no effect otherwise).
419
420 • off, emer, err, warn, info, or dbg, to control the log
421 level. Messages of the given severity or higher will be
422 logged, and messages of lower severity will be filtered
423 out. off filters out all messages. See ovs-appctl(8) for a
424 definition of each log level.
425
426 Case is not significant within spec.
427
428 Regardless of the log levels set for file, logging to a file will
429 not take place unless --log-file is also specified (see below).
430
431 For compatibility with older versions of OVS, any is accepted as a
432 word but has no effect.
433
434 -v
435 --verbose
436 Sets the maximum logging verbosity level, equivalent to --ver‐
437 bose=dbg.
438
439 -vPATTERN:destination:pattern
440 --verbose=PATTERN:destination:pattern
441 Sets the log pattern for destination to pattern. Refer to ovs-ap‐
442 pctl(8) for a description of the valid syntax for pattern.
443
444 -vFACILITY:facility
445 --verbose=FACILITY:facility
446 Sets the RFC5424 facility of the log message. facility can be one
447 of kern, user, mail, daemon, auth, syslog, lpr, news, uucp, clock,
448 ftp, ntp, audit, alert, clock2, local0, local1, local2, local3,
449 local4, local5, local6 or local7. If this option is not specified,
450 daemon is used as the default for the local system syslog and lo‐
451 cal0 is used while sending a message to the target provided via
452 the --syslog-target option.
453
454 --log-file[=file]
455 Enables logging to a file. If file is specified, then it is used
456 as the exact name for the log file. The default log file name used
457 if file is omitted is /var/log/ovn/program.log.
458
459 --syslog-target=host:port
460 Send syslog messages to UDP port on host, in addition to the sys‐
461 tem syslog. The host must be a numerical IP address, not a host‐
462 name.
463
464 --syslog-method=method
465 Specify method as how syslog messages should be sent to syslog
466 daemon. The following forms are supported:
467
468 • libc, to use the libc syslog() function. Downside of using
469 this options is that libc adds fixed prefix to every mes‐
470 sage before it is actually sent to the syslog daemon over
471 /dev/log UNIX domain socket.
472
473 • unix:file, to use a UNIX domain socket directly. It is pos‐
474 sible to specify arbitrary message format with this option.
475 However, rsyslogd 8.9 and older versions use hard coded
476 parser function anyway that limits UNIX domain socket use.
477 If you want to use arbitrary message format with older
478 rsyslogd versions, then use UDP socket to localhost IP ad‐
479 dress instead.
480
481 • udp:ip:port, to use a UDP socket. With this method it is
482 possible to use arbitrary message format also with older
483 rsyslogd. When sending syslog messages over UDP socket ex‐
484 tra precaution needs to be taken into account, for example,
485 syslog daemon needs to be configured to listen on the spec‐
486 ified UDP port, accidental iptables rules could be inter‐
487 fering with local syslog traffic and there are some secu‐
488 rity considerations that apply to UDP sockets, but do not
489 apply to UNIX domain sockets.
490
491 • null, to discard all messages logged to syslog.
492
493 The default is taken from the OVS_SYSLOG_METHOD environment vari‐
494 able; if it is unset, the default is libc.
495
497 These options control the format of output from the list and find com‐
498 mands.
499
500 -f format
501 --format=format
502 Sets the type of table formatting. The following types of
503 format are available:
504
505 table 2-D text tables with aligned columns.
506
507 list (default)
508 A list with one column per line and rows separated
509 by a blank line.
510
511 html HTML tables.
512
513 csv Comma-separated values as defined in RFC 4180.
514
515 json JSON format as defined in RFC 4627. The output is a
516 sequence of JSON objects, each of which corresponds
517 to one table. Each JSON object has the following
518 members with the noted values:
519
520 caption
521 The table’s caption. This member is omitted
522 if the table has no caption.
523
524 headings
525 An array with one element per table column.
526 Each array element is a string giving the
527 corresponding column’s heading.
528
529 data An array with one element per table row. Each
530 element is also an array with one element per
531 table column. The elements of this second-
532 level array are the cells that constitute the
533 table. Cells that represent OVSDB data or
534 data types are expressed in the format de‐
535 scribed in the OVSDB specification; other
536 cells are simply expressed as text strings.
537
538 -d format
539 --data=format
540 Sets the formatting for cells within output tables unless
541 the table format is set to json, in which case json format‐
542 ting is always used when formatting cells. The following
543 types of format are available:
544
545 string (default)
546 The simple format described in the Database Values
547 section of ovs-vsctl(8).
548
549 bare The simple format with punctuation stripped off: []
550 and {} are omitted around sets, maps, and empty col‐
551 umns, items within sets and maps are space-sepa‐
552 rated, and strings are never quoted. This format may
553 be easier for scripts to parse.
554
555 json The RFC 4627 JSON format as described above.
556
557 --no-headings
558 This option suppresses the heading row that otherwise ap‐
559 pears in the first row of table output.
560
561 --pretty
562 By default, JSON in output is printed as compactly as pos‐
563 sible. This option causes JSON in output to be printed in a
564 more readable fashion. Members of objects and elements of
565 arrays are printed one per line, with indentation.
566
567 This option does not affect JSON in tables, which is always
568 printed compactly.
569
570 --bare
571 Equivalent to --format=list --data=bare --no-headings.
572
573 PKI Options
574 PKI configuration is required to use SSL for the connection to the
575 database.
576
577 -p privkey.pem
578 --private-key=privkey.pem
579 Specifies a PEM file containing the private key used as
580 identity for outgoing SSL connections.
581
582 -c cert.pem
583 --certificate=cert.pem
584 Specifies a PEM file containing a certificate that certi‐
585 fies the private key specified on -p or --private-key to be
586 trustworthy. The certificate must be signed by the certifi‐
587 cate authority (CA) that the peer in SSL connections will
588 use to verify it.
589
590 -C cacert.pem
591 --ca-cert=cacert.pem
592 Specifies a PEM file containing the CA certificate for ver‐
593 ifying certificates presented to this program by SSL peers.
594 (This may be the same certificate that SSL peers use to
595 verify the certificate specified on -c or --certificate, or
596 it may be a different one, depending on the PKI design in
597 use.)
598
599 -C none
600 --ca-cert=none
601 Disables verification of certificates presented by SSL
602 peers. This introduces a security risk, because it means
603 that certificates cannot be verified to be those of known
604 trusted hosts.
605
606 --bootstrap-ca-cert=cacert.pem
607 When cacert.pem exists, this option has the same effect
608 as -C or --ca-cert. If it does not exist, then the exe‐
609 cutable will attempt to obtain the CA certificate from
610 the SSL peer on its first SSL connection and save it to
611 the named PEM file. If it is successful, it will immedi‐
612 ately drop the connection and reconnect, and from then on
613 all SSL connections must be authenticated by a certifi‐
614 cate signed by the CA certificate thus obtained.
615
616 This option exposes the SSL connection to a man-in-the-
617 middle attack obtaining the initial CA certificate, but
618 it may be useful for bootstrapping.
619
620 This option is only useful if the SSL peer sends its CA
621 certificate as part of the SSL certificate chain. The SSL
622 protocol does not require the server to send the CA cer‐
623 tificate.
624
625 This option is mutually exclusive with -C and --ca-cert.
626
627 Other Options
628 -h
629 --help
630 Prints a brief help message to the console.
631
632 -V
633 --version
634 Prints version information to the console.
635
636
637
638OVN 21.09.0 ovn-ic-nbctl ovn-ic-nbctl(8)